The Cost of Inaction

Bryan Nash was in a meeting when he realized that someone was trying to make a fraudulent purchase with his credit card.

On his cell phone, Nash, the chief information officer at McHenry Savings Bank in Illinois, received a text alert from Bank of America displaying the one-time pass code he would need to log in to his credit card account. Nash wasn't trying to log into his account, but he knew that whoever was didn't have the code, and he returned comfortably to the conversation at hand.

Nash would love to be able to offer the same sort of security to his bank's commercial customers, but like many bankers across the country, he has run into some roadblocks.

Many commercial customers balk at the added inconvenience of using new authentication systems, and many of the vendors that banks rely on to manage their payments systems have not updated their systems to offer state-of-the-art authentication services.

Speaking at a symposium on commercial payments fraud in May, she noted that electronic bank fraud declined dramatically in 2007, after regulators released guidance mandating stronger customer authentication controls.

But by late 2008, she says, criminals had adapted, and the rate of fraud has been on the rise ever since, with commercial payments as the target of choice."In many of the cases," she says, "the fraudulent transfers were made from business customers whose online business banking credentials had been compromised."

Federal law enforcement officials say that attempts to hack into business bank accounts are a growing threat, with increasingly sophisticated hackers running international efforts to collect customers' log-in credentials.

They sell batches of those credentials in online marketplaces, to other criminals, who have their own networks set up to transfer funds and withdraw cash.

Fraud in commercial accounts is not as much of a financial danger for banks as it is in retail accounts. Unlike an individual, a business is not protected from unauthorized transfers by the Federal Reserve Board's Regulation E. Commercial account holders are generally liable for any transactions authorized through a "commercially reasonable" procedure previously agreed upon by the bank and the customer.

However, the cost of damaged customer relationships andof defending against lawsuits brought by angry accountholders can be every bit as damaging as a financial loss.

The sticking point is that very few cases of electronic payments fraud originate at the bank; most are initiated by someone posing as a customer by using stolen authentication credentials. This leaves banks with a challenge. Though they need to reduce the possibility that one of their customers will be victimized, the largest security threat to business accounts is not under the bank's direct control, but the customer's.

Banks that take steps to address the problem, by supplying consumers with "tokens" that provide one-time access codes or other enhanced security features often face resistance from the very people they are trying to help. Others, dependent on a service bureau or software provider to integrate security measures into their systems, find that they are simply unavailable.

"Banks traditionally have sold convenience, and convenience has been one of the primary attractions of online banking," says Samuel A. Vallandingham, vice president and chief information officer of First State Bank, in Barboursville, W.Va. "Things that impede that convenience are seen as bad."

Vallandingham says that his bank recently revamped its online banking interface for commercial customers to make it more secure and faced strong objections from customers. "Several clients complained that they liked the old system better and that the new one was more cumbersome and difficult to use," he says. "Some threatened to switch banks, if we didn't make changes."

He says many of his customers simply don't see fraud as a threat that justifies the inconvenience of extra security procedures. And according to some researchers, they may be right.

While online fraud is a growing problem, the number of individuals and businesses victimized is relatively small. In a widely-cited study of why online customers tend to ignore much of the security advice they receive, Microsoft researcher Cormac Herley found that, in general, "most security advice simply offers a poor cost-benefit tradeoff to users and is rejected."

Because, in most cases, commercial customers are legally on the hook for payments authorized using an agreed-upon procedure, it would be tempting to leave them to face the losses on their own. But according to Vallandingham, that's not how most banks—particularly community banks—operate.

"Community banks may accept the loss or share the loss rather than sacrifice a customer relationship over one transaction," he says.

Nash of McHenry Savings says that his bank would like to offer commercial customers the same sort of authentication that allowed a simple text message to protect his credit card account from being hacked. But the bank's service bureau has yet to update its systems to support that relatively new technology."We are in the hands of our processor in terms of what we offer our customer," he says. "We want to offer more stringent protections, but we can't."

McHenry currently uses an industry-standard two-factor authentication system, but is very aware of the warnings coming from regulators.

"The Federal Financial Institutions Examination Council guidance says that this is evolving, but some of the processors haven't done anything to evolve," he says."Some processors have made the changes, some are behind the times, and some are not even looking at it."

Vallandingham of First State Bank has similar problems with the vendor supplying his bank's payments processing software.

"There are things I have asked my provider for but they are simply not willing to do," he says.

For banks concerned about protecting commercial accounts, there is some hope on the horizon.

The brief decline in online payment fraud in 2007 followed a rewrite of the FFIEC's guidance on user authentication. A further updating of the guidance is underway, and though it is unclear when it will be complete, it is likely to force payment processors to bring their systems up to speed.

But for now, says Vallandingham, the best course is to focus on making sure that both banks and commercial accountholders understand the threat.

"Pointing the finger or looking for legislation is not going to be the answer," he says. "The more education we can provide... the better off we will be."